github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #1413] noroot not effective with ssh? #961

New issue

Closed

opened 2026-05-05 07:13:29 -06:00 by gitea-mirror · 3 comments

gitea-mirror commented

2026-05-05 07:13:29 -06:00

Owner

Originally created by @chiraag-nataraj on GitHub (Jul 29, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1413

So I'm currently trying to sandbox ssh and I'm running into something very interesting.
I use the following profile:

private-dev
private-tmp

shell none
x11 none
ipc-namespace
caps
noroot

When I start ssh with this profile, I would think that ssh (and anything spawned by it) would not have access to root. However, I am able to log in as usual and use sudo su to gain root privileges. Why is is this happening?

[Edit] I know that I'm inside the jail because I can use top to note that I can only see the ssh process and the bash spawned by it.

Originally created by @chiraag-nataraj on GitHub (Jul 29, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1413 So I'm currently trying to sandbox ssh and I'm running into something very interesting. I use the following profile: ```` private-dev private-tmp shell none x11 none ipc-namespace caps noroot ```` When I start ssh with this profile, I would think that ssh (and anything spawned by it) would not have access to root. However, I am able to log in as usual and use `sudo su` to gain root privileges. Why is is this happening? [Edit] I know that I'm inside the jail because I can use `top` to note that I can only see the `ssh` process and the `bash` spawned by it.

gitea-mirror closed this issue

2026-05-05 07:13:30 -06:00

gitea-mirror commented

2026-05-05 07:13:32 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Jul 29, 2017):

Edit: did you ever find a fix for #1387 ?
Edit 2: I think you need nonewprivs in addition to noroot for it to be fully effective.

@SkewedZeppelin commented on GitHub (Jul 29, 2017): Edit: did you ever find a fix for #1387 ? Edit 2: I think you need nonewprivs in addition to noroot for it to be fully effective.

gitea-mirror commented

2026-05-05 07:13:34 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Jul 29, 2017):

As to your first question, I did not - I still have to manually stop the command when interactively restarting it, but it spawns properly when booting up.

I will try nonewprivs, but I don't see why I need that in this profile when I don't need it for any other profiles for it to be effective. Is it because I have to spawn it as root to begin with?

@chiraag-nataraj commented on GitHub (Jul 29, 2017): As to your first question, I did not - I still have to manually stop the command when interactively restarting it, but it spawns properly when booting up. I will try `nonewprivs`, but I don't see why I need that in this profile when I don't need it for any other profiles for it to be effective. Is it because I have to spawn it as root to begin with?

gitea-mirror commented

2026-05-05 07:13:35 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Jul 30, 2017):

Interesting. Using nonewprivs indeed worked, and I can't escalate within the ssh session. Thanks @SpotComms!

@chiraag-nataraj commented on GitHub (Jul 30, 2017): Interesting. Using `nonewprivs` indeed worked, and I can't escalate within the `ssh` session. Thanks @SpotComms!

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#961

No description provided.

Rows
Columns